Credit card and debit card, or “payment card,” processing involves a number of parties, including a card association, an issuer, a cardholder, an acquirer, and a merchant.
When a potential cardholder, such as an individual or an organization, wants a payment card, they approach an issuer. The issuer is a financial institution. If the potential cardholder meets certain requirements (e.g., credit rating, account balance, income, etc.), the issuer may choose to issue a payment card to the cardholder. The payment card contains sensitive information about the cardholder, including the cardholder's identity and account information, which enables the cardholder to transfer funds from an account held by the issuer or to draw against a corresponding line of credit provided by the issuer.
A cardholder makes a purchase, or initiates a transaction, with the payment card by presenting the same to a merchant. Information obtained from the payment card by the merchant is then processed. The information may be processed using equipment that may be provided by an acquirer, which is a financial institution with which the merchant has an established relationship. As the information is processed, it is transferred to a card association (e.g., VISA, MASTERCARD, etc.), either directly from the merchant or through the acquirer. The card association transmits the information about the transaction to the issuer. The issuer then authorizes or declines the transaction. If the transaction is authorized, the issuer funds the transaction by transferring money to the acquirer through the card association. When a debit card is used, funds are transferred from the cardholder's account with the issuer to the acquirer. When the cardholder uses a credit card, the cardholder incurs a debt with the issuer, for which the cardholder must eventually reimburse the issuer.
Whenever a cardholder uses a payment card to make a purchase, the merchant obtains information, including the account number, from the payment card. While that information may be obtained in a number of ways, the merchant typically uses some type of electronic processing equipment to transmit the information, by way of a communication element (e.g., an Internet connection, etc.) to its acquirer or a card association. Sometimes the information is stored in memory associated with the processing equipment. That information may be stored in groups that include long strings of data.
Since the processing equipment includes a communication element, any memory associated with the processing equipment may be subject to hacking. Thus, any information stored in memory associated with processing equipment may be subject to theft. When payment card information is stolen, that information may be used to make unauthorized purchases.